TDGSS LdapServerName Property | Teradata Vantage - 17.10 - LdapServerName - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

The value of the LdapServerName property tells TDGSS which directory to use for authentication and authorization of directory users.

Valid Settings

  • "", that is, _ldap._tcp (default)
  • A valid URI or DNS SRV RR specification.

Sample Configuration for an LDAP Uniform Resource Identifier

"resource_identifier [...]"

where each resource_identifier has the form:

scheme://server[:port]/

The resource identifiers must be separated by spaces. The entire string, including double quotation marks, cannot exceed 256 characters.

Syntax Elements

scheme
A valid URL scheme: ldap, ldaps, gc, or gcs.
server
The FQDN or IP address of the directory server.
Do not use a server IP address with Active Directory and DIGEST-MD5. DIGEST-MD5 is deprecated.
For fail-over protection, you can specify multiple directory servers, beginning with the primary server. TDGSS selects servers from the list in the order configured. If a server is unavailable, TDGSS tries the next server on the list.
For configuring systems connected to multiple directory services, see Creating the <LdapConfig> Section in the TdgssUserConfigFile.xml.
port
[Optional] The LDAP service port.
Default behavior: The system uses the default port designation for the specified scheme, for example:
  • ldap (389)
  • ldaps (636)
  • gc (3268)
  • gcs (3269)
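The following validator is an added example, not Teradata code: it applies the rules above (allowed schemes, default ports, the 256-character limit including the quotation marks, space-separated fail-over lists, and the DNS SRV forms) to a candidate LdapServerName value and reports errors and security-relevant warnings. The function names `parse_uri` and `check_ldap_server_name` and the sample values are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Default port per scheme, as listed on this page.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "gc": 3268, "gcs": 3269}
# Schemes that enable SSL protection.
SSL_SCHEMES = {"ldaps", "gcs"}
# The limit applies to the whole string including the double quotation marks.
MAX_LEN = 256

# DNS SRV form: _scheme._tcp, optionally followed by a domain, including the
# site-aware shape _ldap._tcp.<site_name>._sites.<domain>.
SRV_RE = re.compile(r"^_(ldap|ldaps|gc|gcs)\._tcp(\.[A-Za-z0-9_-]+)*$")


def parse_uri(uri):
    """Parse one scheme://server[:port]/ entry; raise ValueError if malformed."""
    parts = urlsplit(uri)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"{uri}: scheme must be one of {sorted(DEFAULT_PORTS)}")
    if not parts.hostname or parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError(f"{uri}: expected the form scheme://server[:port]/")
    try:
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        raise ValueError(f"{uri}: port must be a number in range")
    try:
        ipaddress.ip_address(parts.hostname)
        is_ip = True
    except ValueError:
        is_ip = False
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": port if port is not None else DEFAULT_PORTS[parts.scheme],
        "ssl": parts.scheme in SSL_SCHEMES,
        "is_ip": is_ip,
    }


def check_ldap_server_name(value):
    """Classify a value as default, srv or uri and collect errors and warnings."""
    result = {"kind": None, "servers": [], "errors": [], "warnings": []}
    if len('"' + value + '"') > MAX_LEN:
        result["errors"].append(f"value exceeds {MAX_LEN} characters including quotes")
    if value == "":
        result["kind"] = "default"  # equivalent to _ldap._tcp
        result["warnings"].append("default _ldap._tcp uses the ldap scheme, which does not enable SSL protection")
        return result
    if SRV_RE.match(value):
        result["kind"] = "srv"
        scheme = value.split(".", 1)[0][1:]
        if scheme not in SSL_SCHEMES:
            result["warnings"].append(f"_{scheme}._tcp does not enable SSL protection")
        result["site_aware"] = "._sites." in value
        return result
    result["kind"] = "uri"
    for uri in value.split():  # fail-over list: primary server first
        try:
            server = parse_uri(uri)
        except ValueError as err:
            result["errors"].append(str(err))
            continue
        result["servers"].append(server)
        if server["is_ip"]:
            result["warnings"].append(f"{uri}: IP address; do not use with Active Directory and DIGEST-MD5")
        if not server["ssl"]:
            result["warnings"].append(f"{uri}: {server['scheme']} scheme does not enable SSL protection")
    return result


if __name__ == "__main__":
    # Constructed sample values; the host names are placeholders.
    for sample in ("", "_ldaps._tcp.hq._sites.example.com",
                   "ldaps://dc1.example.com/ ldap://10.0.0.5:389/"):
        print(repr(sample), check_ldap_server_name(sample))
```

The order of the list is preserved in `servers` because TDGSS tries servers in the configured order; a cleartext `ldap` or `gc` entry anywhere in a fail-over list is reported, since a fail-over to that entry would downgrade the connection.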

Configuring DNS SRV Resource Records (RRs)

You can configure the LdapServerName property to direct TDGSS to select an authenticating directory at random from the DNS domain SRV RRs, if the RRs conform to IETF RFC 2782.

For details, see the following table or go to: http://www.ietf.org/rfc/rfc2782.txt.

Property Component and Value / Description

  • Specify the default domain: _scheme._tcp or ""
    Directs TDGSS to select a directory from those listed in the SRV RRs for the default domain.
  • Specify a non-default domain: _scheme._tcp.domain_name
    Directs TDGSS to select a directory from those listed in the SRV RRs for the domain you specify.
  • Configure a site-aware domain name, for example: _ldap._tcp.site_name._sites.domain
    Directs TDGSS to select a directory that is local to the Teradata Vantage system to which the user logs on, from the SRV RRs for the domain. Also see Configuring LDAP for Site-Aware Authentication.
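As an added illustration of how the SRV forms above are resolved (not Teradata code, and not a description of TDGSS internals), the following example builds the SRV names from the table and applies the RFC 2782 client selection rule over a constructed set of records: lowest priority first, and within a priority a weighted random choice, where a weight of 0 is chosen only rarely. The record set, the function names `srv_name`, `order_srv_records` and `pick_directory`, and the host names are assumptions made for the example.

```python
import random
from dataclasses import dataclass


@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed records standing in for what a DNS lookup of
# _ldaps._tcp.example.com would return; not from any real zone.
SAMPLE_RRS = [
    SrvRecord(priority=10, weight=60, port=636, target="dc1.example.com."),
    SrvRecord(priority=10, weight=40, port=636, target="dc2.example.com."),
    SrvRecord(priority=20, weight=0, port=636, target="dc-backup.example.com."),
]


def srv_name(scheme, domain=None, site=None):
    """Build the LdapServerName SRV form: _scheme._tcp[.site._sites][.domain]."""
    name = f"_{scheme}._tcp"
    if site is not None:
        if domain is None:
            raise ValueError("a site-aware name needs a domain")
        name += f".{site}._sites"
    if domain is not None:
        name += f".{domain}"
    return name


def order_srv_records(rrs, rng=None):
    """Return the records in RFC 2782 client order.

    Priorities are tried lowest first. Within one priority the records are
    drawn by weight: a random number in 0..sum(weights) is compared against a
    running sum, with zero-weight records sorted first so that they are taken
    only when the draw is 0.
    """
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in rrs}):
        pool = [r for r in rrs if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                choice = rng.choice(pool)  # all weights zero: any order is fine
            else:
                pool.sort(key=lambda r: r.weight)  # stable; zero weights first
                draw = rng.randint(0, total)
                running = 0
                for r in pool:
                    running += r.weight
                    if running >= draw:
                        choice = r
                        break
            ordered.append(choice)
            pool.remove(choice)
    return ordered


def pick_directory(rrs, rng=None):
    """Return (target, port) of the first directory a client should try."""
    first = order_srv_records(rrs, rng)[0]
    return first.target, first.port


if __name__ == "__main__":
    print(srv_name("ldaps", "example.com", site="hq"))
    for r in order_srv_records(SAMPLE_RRS, random.Random(1)):
        print(r.priority, r.weight, r.target, r.port)
```

Because the choice within a priority level is random, a fail-over server that must only be used as a last resort belongs at a higher (worse) priority value, as `dc-backup` is here, rather than at a low weight within the same priority.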

Editing Guidelines

  • LdapServerName appears by default in the LDAP mechanism. You must add LdapServerName to KRB5 and SPNEGO and specify a value if AuthorizationSupported=yes.
  • You must configure this property for any mechanism with AuthorizationSupported=yes.
  • Edit this property on database nodes and on the Unity server, if used.
  • If the default associated with the domain scheme is not the correct port, you can use the URI method to specify another port.
  • You can use the _ldaps._tcp or _gcs._tcp scheme to automatically enable SSL protection.
  • If the directory is not Active Directory, and you specify _ldaps._tcp or _gcs._tcp, you may need to manually register the location of the directory service in the DNS. For Active Directory, the process is automatic.
  • You can use the LdapServerName property to provide directory fail-over protection, by specifying multiple directory servers in a space-separated list.
  • If you use the LdapServerName property to configure site-aware authentication:
    • If the DNS service for the domain in which the database resides is not the one where Active Directory registers its site-aware DNS SRV RRs (that is, a "foreign" service), then you must also manually configure the site-aware SRV RRs in the foreign DNS service. See Configuring LDAP for Site-Aware Authentication.
  • If configuring LDAP in a Unity environment, the configuration on the Unity server and on a connected database does not have to match if users directly logging on to the database and those logging on through the Unity server are authenticated in different directories. Also see Coordinating Mechanism Property Values for Unity.
  • If users directly logging on to a database and those logging on through the Unity server are authenticated by the same directory, the LdapServerName configuration for the database and the Unity server should match.
  • If you configure multiple directory services, you need to configure an LdapServerName for each service entry. See Configuring LDAP to Use Multiple Directory Services.